Rapid7 Blog

12 Days of HaXmas: Finding shell_bind_tcp_random_port with Nmap and Ndiff

This post is the ninth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.

A few months ago, contributor geyslan submitted a cool pull request for a random-port bind shell payload on x86 and x64 Linux systems.

In this post, we'll explore how to use this payload with our friends Nmap and Ndiff. Let's get hacking!

Why should I use this thing?

Well, if you can use a reverse shell or a traditional bind shell, do that! The primary benefit of shell_bind_tcp_random_port is its size. By avoiding the bind call, the payload is a fair bit smaller than your usual bind shell. This could be useful if you have a severe size restriction on your payload.

Metasploitable

We're using Metasploitable for our vulnerable host. Just boot up the VM with host-only networking enabled, and you should be good to go. In this case, Metasploitable is at 172.16.126.129.

Nmap

First, we need to get a list of open ephemeral ports using Nmap. An ephemeral port is just a port that the OS assigns automatically and temporarily. Our payload will bind to one of these ports. We use a little shell magic to parse the ephemeral port range in /proc/sys/net/ipv4/ip_local_port_range and feed it to Nmap. We also need to save the scan results to before.xml in order to use Ndiff later.
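The before/after scan described above, written out as an added example (not the original post's command line, and not part of Metasploit). It assumes nmap and ndiff are installed on the scanning box, that the target (172.16.126.129 in the post) is reachable, and that the local ip_local_port_range is a reasonable proxy for the target's; the `new_open_ports` function reproduces the one fact we take from Ndiff (which port appeared) directly from the two XML files.

```shell
#!/bin/sh
# Added example, not from the original post: scan a target's ephemeral port
# range before and after the payload runs, then report which port was newly
# opened. Assumes nmap and ndiff are installed and the target (172.16.126.129
# in the post) is reachable; file names before.xml/after.xml follow the post.

# Turn the kernel's "32768<TAB>60999" range into nmap's "32768-60999" syntax.
# Reads the local /proc entry by default; pass another file to override
# (the target's own range is what actually matters, the local one is a proxy).
ephemeral_range() {
  awk 'NR == 1 { print $1 "-" $2 }' "${1:-/proc/sys/net/ipv4/ip_local_port_range}"
}

# Scan only that range and save XML so the two runs can be compared.
scan_ephemeral() {
  nmap -n -Pn -p "$(ephemeral_range)" -oX "$2" "$1" > /dev/null
}

# List open TCP ports from an nmap XML report, one per line, numerically sorted.
# Relies on nmap writing each <port> element and its <state> on one line.
open_ports() {
  grep -o '<port protocol="tcp" portid="[0-9]*"><state state="open"' "$1" \
    | grep -o 'portid="[0-9]*"' | tr -dc '0-9\n' | sort -n
}

# Ports open in the second scan but not the first: the same port ndiff
# reports as newly open, without needing ndiff on the scanning box.
new_open_ports() {
  before_ports=$(mktemp)
  open_ports "$1" > "$before_ports"
  open_ports "$2" | grep -vxF -f "$before_ports" || true
  rm -f "$before_ports"
}

# Full workflow: sh ephemeral_diff.sh scan 172.16.126.129
if [ "$#" -eq 2 ] && [ "$1" = "scan" ]; then
  scan_ephemeral "$2" before.xml
  printf 'Run the payload on %s now, then press Enter: ' "$2"; read -r _
  scan_ephemeral "$2" after.xml
  ndiff before.xml after.xml
  printf 'LPORT candidate(s): %s\n' "$(new_open_ports before.xml after.xml)"
fi
```

The port printed last is the value to hand to LPORT in the handler step.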

Metasploit

Finally, we can pop a shell with exploit/multi/handler. Just set PAYLOAD to linux/x86/shell_bind_tcp, LPORT to the port you found with Ndiff, and hit exploit! We already set RHOST globally when we used exploit/multi/ssh/sshexec. :)